Red Hat Software

Free Software Foundation Speaks Up Against Red Hat Source Code Announcement

PAjamian writes: Two years ago Red Hat announced an end to its public source code availability. This caused a great deal of outcry from the Enterprise Linux community at large. Since then many have waited for a statement from the Free Software Foundation concerning their stance on the matter. Now, nearly two years later, the FSF has finally responded to questions regarding their stance on the issue with the following statement:

Generally, we don't agree with what Red Hat is doing. Whether it constitutes a violation of the GPL would require legal analysis and the FSF does not give legal advice. However, as the stewards of the GNU GPL we can speak to how it is intended to be applied and Red Hat's approach is certainly contrary to the spirit of the GPL. This is unfortunate, because we would expect such flagship organizations to drive the movement forward.

When asked if the FSF would be willing to intervene on behalf of the community they had this to say:

As of today, we are not aware of any issue with Red Hat's new policy that we could pursue on legal grounds. However, if you do find a violation, please follow these instructions and send a report to license-violation@gnu.org.

Following is the full text of my original email to them and their response:

Subject: Statement about recent changes in source code distribution for Red Hat Enterprise Linux
Date: 2023-07-16 00:39:51

> Hi,
>
> I'm a user of Red Hat Enterprise Linux, Rocky Linux and other Linux distributions in the RHEL ecosystem. I am also involved in the EL (Enterprise Linux) community which is being affected by the statements and changes in policy made by Red Hat at https://www.redhat.com/en/blog/furthering-evolution-centos-stream and https://www.redhat.com/en/blog/red-hats-commitment-open-source-response-gitcentosorg-changes (note there are many many more links and posts about this issue which I believe you are likely already aware of). While a few of these questions are answered more directly by the license FAQ some of them are not and there are a not insignificant number of people who would very much appreciate a public statement from the FSF that answers these questions directly.
>
> Can you please comment or release a statement about the Free Software Foundation's position on this issue? Specifically:
>

Thank you for writing in with your questions. My apologies for the delay, but we are a small team with limited resources and it can be challenging to keep up with all the emails we receive.

Generally, we don't agree with what Red Hat is doing. Whether it constitutes a violation of the GPL would require legal analysis and the FSF does not give legal advice. However, as the stewards of the GNU GPL we can speak to how it is intended to be applied and Red Hat's approach is certainly contrary to the spirit of the GPL. This is unfortunate, because we would expect such flagship organizations to drive the movement forward.

> Is Red Hat's removal of sources from git.centos.org a violation of the GPL and various other Free Software licenses for the various programs distributed under RHEL?
>
> Is Red Hat's distribution of source RPMs to their customers under their subscriber agreement sufficient to satisfy the above mentioned licenses?
>
> Is it a violation if Red Hat terminates a subscription early because their customer exercised their rights under the GPL and other Free Software licenses to redistribute the RHEL sources or create derivative works from them?
>
> Is it a violation if Red Hat refuses to renew a subscription that has expired because a customer exercised their rights to redistribute or create derivative works?
>
> A number of the programs distributed with RHEL are copyrighted by the FSF, some examples being bash, emacs, GNU core utilities, gcc, gnupg and glibc. Given that the FSF has standing to act in this matter would the FSF be willing to intervene on behalf of the community in order to get Red Hat to correct any of the above issues?
>

As of today, we are not aware of any issue with Red Hat's new policy that we could pursue on legal grounds. However, if you do find a violation, please [follow these instructions][0] and send a report to <license-violation@gnu.org>.

[0]: https://www.gnu.org/licenses/gpl-violation.html

If you are interested in something more specific on this, the Software Freedom Conservancy [published an article about the RHEL][1] situation and hosted a [panel at their conference in 2023][2]. These cover the situation fairly thoroughly.

[1]: https://sfconservancy.org/blog/2023/jun/23/rhel-gpl-analysis/
[2]: https://sfconservancy.org/blog/2023/jul/19/rhel-panel-fossy-2023/

Social Networks

US-Funded 'Social Network' Attacking Pesticide Critics Shuts Down (theguardian.com)

The US company v-Fluence secretly compiled profiles on over 500 food and environmental health advocates, scientists, and politicians in a private web portal to discredit critics of pesticides and GM crops. Following public backlash and corporate cancellations after its actions were revealed by the Guardian, the company announced it was shutting down the profiling service. The Guardian reports: The profiles -- part of an effort that was financed, in part, by US taxpayer dollars -- often provided derogatory information about the industry opponents and included home addresses and phone numbers and details about family members, including children. They were provided to members of an invite-only web portal where v-Fluence also offered a range of other information to its roster of more than 1,000 members. The membership included staffers of US regulatory and policy agencies, executives from the world's largest agrochemical companies and their lobbyists, academics and others.

The profiling was one element of a push to downplay pesticide dangers, discredit opponents and undermine international policymaking, according to court records, emails and other documents obtained by the non-profit newsroom Lighthouse Reports. Lighthouse collaborated with the Guardian, the New Lede, Le Monde, Africa Uncensored, the Australian Broadcasting Corporation and other international media partners on the September 2024 publication of the investigation. News of the profiling and the private web portal sparked outrage and threats of litigation by some of the people and organizations profiled. [...]

v-Fluence says it not only has eliminated the profiling, but also has made "significant staff cuts" after the public exposure, according to Jay Byrne, the former Monsanto public relations executive who founded and heads the company. Byrne blamed the company's struggles on "rising costs from continued litigator and activist harassment of our staff, partners, and clients with threats and misrepresentations." He said the articles published about the company's profiling and private web portal were part of a "smear campaign" which was based on "false and misleading misrepresentations" that were "not supported by any facts or evidence." Adding to the company's troubles, several corporate backers and industry organizations have cancelled contracts with v-Fluence, according to a post in a publication for agriculture professionals.

Google

Google Removes Pledge To Not Use AI For Weapons From Website

Google has updated its public AI principles page to remove a pledge to not build AI for weapons or surveillance. TechCrunch reports: Asked for comment, the company pointed TechCrunch to a new blog post on "responsible AI." It notes, in part, "we believe that companies, governments, and organizations sharing these values should work together to create AI that protects people, promotes global growth, and supports national security." Google's newly updated AI principles note the company will work to "mitigate unintended or harmful outcomes and avoid unfair bias," as well as align the company with "widely accepted principles of international law and human rights." Further reading: Google Removes 'Don't Be Evil' Clause From Its Code of Conduct

Businesses

2025 Will Likely Be Another Brutal Year of Failed Startups, Data Suggests (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: TechCrunch gathered data from several sources and found similar trends. In 2024, 966 startups shut down, compared to 769 in 2023, according to Carta. That's a 25.6% increase. One note on methodology: Those numbers are for U.S.-based companies that were Carta customers and left Carta due to bankruptcy or dissolution. There are likely other shutdowns that wouldn't be accounted for through Carta, estimates Peter Walker, Carta's head of insights. [...] Meanwhile, AngelList found that 2024 saw 364 startup winddowns, compared to 233 in 2023. That's a 56.2% jump. However, AngelList CEO Avlok Kohli has a fairly optimistic take, noting that winddowns "are still very low relative to the number of companies that were funded across both years."

Layoffs.fyi found a contradicting trend: 85 tech companies shut down in 2024, compared to 109 in 2023 and 58 in 2022. But as founder Roger Lee acknowledges, that data only includes publicly reported shutdowns "and therefore represents an underestimate." Of those 2024 tech shutdowns, 81% were startups, while the rest were either public companies or previously acquired companies that were later shut down by their parent organizations. So many companies got funded in 2020 and 2021 at heated valuations with famously thin diligence, that it's only logical that up to three years later, an increasing number couldn't raise more cash to fund their operations. Taking investment at too high of a valuation increases the risk such that investors won't want to invest more unless business is growing extremely well. [...]

Looking ahead, Walker also expects we'll continue to see more shutdowns in the first half of 2025, and then a gradual decline for the rest of the year. That projection is based mostly on a time-lag estimate from the peak of funding, which he estimates was the first quarter of 2022 in most stages. So by the first quarter of 2025, "most companies will have either found a new path forward or had to make this difficult choice."

"Tech zombies and a startup graveyard will continue to make headlines," said Dori Yona, CEO and co-founder of SimpleClosure. "Despite the crop of new investments, there are a lot of companies that have raised at high valuations and without enough revenue."

Security

FBI: North Korean IT Workers Steal Source Code To Extort Employers (bleepingcomputer.com)

The FBI warned this week that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them. From a report: The security service alerted public and private sector organizations in the United States and worldwide that North Korea's IT army will facilitate cyber-criminal activities and demand ransoms not to leak online exfiltrated sensitive data stolen from their employers' networks. "North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code," the FBI said.

"North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities." To mitigate these risks, the FBI advised companies to apply the principle of least privilege by disabling local administrator accounts and limiting permissions for remote desktop applications. Organizations should also monitor for unusual network traffic, especially remote connections since North Korean IT personnel often log into the same account from various IP addresses over a short period of time.
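The last sentence above describes a concrete detection: one account authenticating from several source addresses within a short period. The Go program below is an added example, not part of the FBI advisory or the BleepingComputer report, and shows that check as a sliding-window rule run over constructed authentication log lines. The log format (`<RFC3339 time> login user=<account> src=<ip>`), the account names, the addresses and the 30-minute / three-address thresholds are assumptions chosen for the illustration; a real deployment would read its identity provider's or VPN concentrator's own format and tune the thresholds to its user base.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Login is one successful authentication event.
type Login struct {
	When        time.Time
	Account, IP string
}

// parseLogins reads lines of the assumed form
// "<RFC3339 time> login user=<account> src=<ip>" (not a real product's format).
func parseLogins(raw string) ([]Login, error) {
	var out []Login
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || f[1] != "login" {
			return nil, fmt.Errorf("unparseable line: %q", sc.Text())
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Login{ts, strings.TrimPrefix(f[2], "user="), strings.TrimPrefix(f[3], "src=")})
	}
	return out, sc.Err()
}

// Finding names an account seen from at least minIPs distinct addresses inside one window.
type Finding struct {
	Account string
	IPs     []string
}

// flagMultiSourceAccounts sorts each account's logins by time and slides a window of
// the given length over them; the first window holding minIPs or more distinct
// source addresses yields one finding for that account.
func flagMultiSourceAccounts(logins []Login, window time.Duration, minIPs int) []Finding {
	byAccount := map[string][]Login{}
	for _, l := range logins {
		byAccount[l.Account] = append(byAccount[l.Account], l)
	}
	var findings []Finding
	for account, evs := range byAccount {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		start := 0
		for end := range evs {
			for evs[end].When.Sub(evs[start].When) > window { // drop events older than the window
				start++
			}
			seen := map[string]bool{}
			for _, e := range evs[start : end+1] {
				seen[e.IP] = true
			}
			if len(seen) >= minIPs {
				ips := make([]string, 0, len(seen))
				for ip := range seen {
					ips = append(ips, ip)
				}
				sort.Strings(ips)
				findings = append(findings, Finding{account, ips})
				break
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Account < findings[j].Account })
	return findings
}

// sampleLog is constructed and deliberately unordered: dev42 uses three
// addresses within 22 minutes, alice keeps one, bob changes hours apart.
const sampleLog = `2025-01-23T09:00:00Z login user=alice src=203.0.113.10
2025-01-23T09:05:00Z login user=dev42 src=198.51.100.7
2025-01-23T09:12:00Z login user=dev42 src=192.0.2.44
2025-01-23T09:20:00Z login user=bob src=203.0.113.20
2025-01-23T09:25:00Z login user=dev42 src=198.51.100.7
2025-01-23T09:30:00Z login user=alice src=203.0.113.10
2025-01-23T14:00:00Z login user=bob src=203.0.113.21
2025-01-23T09:27:00Z login user=dev42 src=203.0.113.99
2025-01-23T16:00:00Z login user=bob src=203.0.113.22`

func main() {
	logins, err := parseLogins(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range flagMultiSourceAccounts(logins, 30*time.Minute, 3) {
		fmt.Printf("%s: %d source addresses within 30m (%s)\n", f.Account, len(f.IPs), strings.Join(f.IPs, ", "))
	}
}
```

With the 30-minute window only dev42 is reported; widening the window to a day also catches bob, whose three addresses are hours apart, which is the usual tuning trade-off between catching a shared account and paging on every commuter who changes networks. The rule is a starting point: pairing it with the other FBI advice (no local administrator accounts, restricted remote desktop permissions) limits what such an account can do before the alert is triaged.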

Science

Pioneering CERN Scheme Will Pay Publishers More If They Hit Open-Science Targets (nature.com)

Leaders at CERN, Europe's particle-physics laboratory in Geneva, Switzerland, will introduce financial incentives for academic publishers to adopt open science policies as part of the organization's collective agreement with 11 particle-physics journals. From a report: The current scheme sees those journals publish work from the field openly and at no cost to authors, in exchange for bulk payments. Under the newly launched initiative, CERN will pay more to publishers that adopt policies such as use of public or open peer review and linking research to data sets, and less to those that do not. Some open-science specialists say the policy could be a game-changer in encouraging transparent science. Others caution that it could set a precedent for publishers to boost their fees in exchange for becoming more open. "Particle physics is large, international, highly complex, highly dynamic. Openness is the only really effective way of practising science in the discipline," says Kamran Naim, head of open science at CERN.

The move comes as a result of CERN's success in encouraging journals that publish its work to do so more openly, through a programme called the Sponsoring Consortium for Open Access Publishing in Particle Physics (SCOAP3). SCOAP3 launched in 2014 and its members include 3,000 libraries, research funders and research organizations worldwide, all of which contribute to a common fund at CERN. This is used to pay annual or quarterly lump sums to journals, in amounts depending on how many papers they publish. The initiative has so far supported the publication of more than 70,000 open-access articles. It has an annual budget of around $10.4 million.

Security

Backdoor Infecting VPNs Used 'Magic Packets' For Stealth and Security (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can't be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what's known in the business as a "magic packet." On Thursday, researchers revealed that a never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs running Juniper Networks' Junos OS has been doing just that. J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it relays a challenge to the device that sent it. The challenge comes in the form of a string of text that's encrypted using the public portion of an RSA key. The initiating party must then respond with the corresponding plaintext, proving it has access to the secret key.

The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders. The combination prompted researchers at Lumen Technologies' Black Lotus Labs to sit up and take notice. "While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years," the researchers wrote. "The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory only agent, makes this an interesting confluence of tradecraft worthy of further observation." The researchers found J-Magic on VirusTotal and determined that it had run inside the networks of 36 organizations. They still don't know how the backdoor got installed.
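The challenge-response gate described above is ordinary public-key authentication applied to a passive implant: the listener holds only a public key, so anyone who learns the trigger but lacks the matching private key cannot produce the expected plaintext. The Go program below is an added illustration of that mechanism, not J-Magic's code and not from the Black Lotus Labs report. The trigger marker, the use of a random 32-byte nonce as the "string of text", RSA-OAEP as the padding and the in-process exchange are all assumptions; the page gives none of those details.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// trigger is the assumed marker that wakes the listener; the page does not
// describe J-Magic's real trigger format.
var trigger = []byte("\x13\x37MAGIC")

func triggerPacket(body string) []byte {
	return append(append([]byte{}, trigger...), body...)
}

// Listener models the implant side. It holds only the operator's public key
// and the plaintext of the one outstanding challenge, if any.
type Listener struct {
	operatorPub *rsa.PublicKey
	pending     []byte
}

// Challenge stays silent for ordinary traffic. For a trigger packet it draws
// a random nonce (the page's "string of text"), keeps it, and returns the
// nonce encrypted to the operator's public key.
func (l *Listener) Challenge(payload []byte) ([]byte, error) {
	if !bytes.HasPrefix(payload, trigger) {
		return nil, nil // dormant: no reply at all, so a scanner sees nothing
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, l.operatorPub, nonce, nil)
	if err != nil {
		return nil, err
	}
	l.pending = nonce
	return ct, nil
}

// Verify compares the answer with the stored nonce in constant time and
// clears it either way, so an answer cannot be replayed.
func (l *Listener) Verify(answer []byte) bool {
	ok := l.pending != nil && subtle.ConstantTimeCompare(answer, l.pending) == 1
	l.pending = nil
	return ok
}

// operatorAnswer is the other side: recover the nonce with the private key.
func operatorAnswer(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, challenge, nil)
}

// runExchange plays one packet through the full exchange with the given key
// and reports whether the listener opened.
func runExchange(l *Listener, key *rsa.PrivateKey, packet []byte) (bool, error) {
	ct, err := l.Challenge(packet)
	if err != nil || ct == nil {
		return false, err
	}
	answer, err := operatorAnswer(key, ct)
	if err != nil { // wrong private key: OAEP decryption fails
		l.Verify(nil)
		return false, nil
	}
	return l.Verify(answer), nil
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	operator, intruder := newKey(), newKey()
	l := &Listener{operatorPub: &operator.PublicKey}
	cases := []struct {
		name string
		key  *rsa.PrivateKey
		pkt  []byte
	}{
		{"ordinary traffic, operator key", operator, []byte("GET / HTTP/1.1\r\n")},
		{"trigger, operator key", operator, triggerPacket("open")},
		{"trigger, intruder key", intruder, triggerPacket("open")},
	}
	for _, c := range cases {
		ok, err := runExchange(l, c.key, c.pkt)
		fmt.Printf("%-32s opened=%v err=%v\n", c.name, ok, err)
	}
}
```

The first case is the one that matters for detection: a passive listener never answers non-trigger traffic, so port scans and banner grabs from the network side reveal nothing, which is why the researchers note the in-memory, passive design as the hard part. The second and third cases show why a captured trigger packet is useless to a rival crew: the ciphertext only turns back into the nonce under the operator's private key.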

Earth

Misinformation and Cyberespionage Top WEF's Global Risks Report 2025

The World Economic Forum's Global Risks Report 2025 (PDF) highlights misinformation as the top global risk due to generative AI tools and state-sponsored campaigns undermining democratic systems, while cyberespionage ranks as a persistent threat with inadequate cyber resilience, especially among small organizations. From a report: The manipulation of information through gen AI and state-sponsored campaigns is disrupting democratic systems and undermining public trust in critical institutions. Efforts to combat this risk have a "formidable opponent" in gen AI-created false or misleading content that can be produced and distributed at scale, the report warned. Misinformation campaigns in the form of deepfakes, synthetic voice recordings or fabricated news stories are now a leading mechanism for foreign entities to influence "voter intentions, sow doubt among the general public about what is happening in conflict zones, or tarnish the image of products or services from another country." This is especially acute in India, Germany, Brazil and the United States.

Concern remains especially high following a year of the so-called "super elections," which saw heightened state-sponsored campaigns designed to manipulate public opinion. But while it has become increasingly difficult to distinguish AI-generated fake content from human-generated content, AI technology, in itself, is low in WEF's risk ranking. In fact, it has declined in the two-year outlook, from 29 in last year's report to 31 this year.

Cyberespionage and warfare continue to be a reason for unease for most organizations, ranked fifth in the global risk landscape. According to the report, one in three CEOs cited cyberespionage and intellectual property theft as their top concerns in 2024. Seventy-one percent of chief risk officers say cyber risk and criminal activity such as money laundering and cybercrime could severely impact their organizations, while 45% of cyber leaders are concerned about disruption of operations and business processes, according to WEF's Global Cybersecurity Outlook 2025 report. The rising likelihood of threat actor activity and sophisticated technological disruption is listed as immediate concerns among security leaders.

Facebook

Russian Disinformation Campaigns Eluded Meta's Efforts To Block Them (nytimes.com)

An anonymous reader quotes a report from the New York Times: A Russian organization linked to the Kremlin's covert influence campaigns posted more than 8,000 political advertisements on Facebook despite European and American restrictions barring companies from doing business with the organization, according to three organizations that track disinformation online. The Russian group, the Social Design Agency, evaded lax enforcement by Facebook to place an estimated $338,000 worth of ads aimed at European users over a period of 15 months that ended in October, even though the platform itself highlighted the threat, the three organizations said in a report released on Friday.

The Social Design Agency has faced punitive sanctions in the European Union since 2023 and in the United States since April for spreading propaganda and disinformation to unsuspecting users on social media. The ad campaigns on Facebook raise "critical questions about the platform's compliance" with American and European laws, the report said. [...] The Social Design Agency is a public relations company in Moscow that, according to American and European officials, operates a sophisticated influence operation known as Doppelganger. Since 2022, Doppelganger has created cartoon memes and online clones of real news sites, like Le Monde and The Washington Post, to spread propaganda and disinformation, often about the war in Ukraine.

[...] The organizations documenting the campaign -- Check First, a Finnish research company, along with Reset.Tech in London and AI Forensics in Paris -- focused on efforts to sway Facebook users in France, Germany, Poland and Italy. Doppelganger has been also linked to influence operations in the United States, Israel and other countries, but those are not included in the report's findings. [...] The researchers estimated that the ads resulted in more than 123,000 clicks by users and netted Meta at least $338,000 in the European Union alone. The researchers acknowledged that the figures provide only one, incomplete example of the Russian agency's efforts. In addition to propagating Russia's views on Ukraine, the agency posted ads in response to major news events, including the Hamas attack on Israel on Oct. 7, 2023, and a terrorist attack in a Moscow suburb last March that killed 145 people. The ads would often appear within 48 hours, trying to shape public perceptions of events. After the Oct. 7 attacks, the ads pushed false claims that Ukraine sold weapons to Hamas. The ads reached more than 237,000 accounts over two to three days, "underscoring the operation's capacity to weaponize current events in support of geopolitical narratives," the researchers' report said.

United Kingdom

UK Plans To Ban Public Sector Organizations From Paying Ransomware Hackers (techcrunch.com)

U.K. public sector and critical infrastructure organizations could be banned from making ransom payments under new proposals from the U.K. government. From a report: The U.K.'s Home Office launched a consultation on Tuesday that proposes a "targeted ban" on ransomware payments. Under the proposal, public sector bodies -- including local councils, schools, and NHS trusts -- would be banned from making payments to ransomware hackers, which the government says would "strike at the heart of the cybercriminal business model."

This government proposal comes after a wave of cyberattacks targeting the U.K. public sector. The NHS last year declared a "critical" incident following a cyberattack on pathology lab provider Synnovis, which led to a massive data breach of sensitive patient data and months of disruption, including canceled operations and the diversion of emergency patients. According to new data seen by Bloomberg, the cyberattack on Synnovis resulted in harm to dozens of patients, leading to long-term or permanent damage to their health in at least two cases.

Youtube

CES 'Worst In Show' Devices Mocked In IFixit Video - While YouTube Inserts Ads For Them (worstinshowces.com)

While CES wraps up this week, "Not all innovation is good innovation," warns Elizabeth Chamberlain, iFixit's Director of Sustainability (heading their Right to Repair advocacy team). So this year the group held its fourth annual "anti-awards ceremony" to call out CES's "least repairable, least private, and least sustainable products..." (iFixit co-founder Kyle Wiens mocked a $2,200 "smart ring" with a battery that only lasts for 500 charges. "Wanna open it up and change the battery? Well you can't! Trying to open it will completely destroy this device...") There's also a category for the worst in security — plus a special award titled "Who asked for this?" — and then a final inglorious prize declaring "the Overall Worst in Show..."

Thursday their "panel of dystopia experts" livestreamed to iFixit's feed of over 1 million subscribers on YouTube, with the video's description warning about manufacturers "hoping to convince us that they have invented the future. But will their vision make our lives better, or lead humanity down a dark and twisted path?" The video "is a fun and rollicking romp that tries to forestall a future clogged with power-hungry AI and data-collecting sensors," writes The New Stack — though noting one final irony.

"While the ceremony criticized these products, YouTube was displaying ads for them..."

UPDATE: Slashdot reached out to iFixit co-founder Kyle Wiens, who says this teaches us all a lesson. "The gadget industry is insidious and has their tentacles everywhere."

"Of course they injected ads into our video. The beast can't stop feeding, and will keep growing until we knife it in the heart."

Long-time Slashdot reader destinyland summarizes the article: "We're seeing more and more of these things that have basically surveillance technology built into them," iFixit's Chamberlain told The Associated Press... Proving this point was EFF executive director Cindy Cohn, who gave a truly impassioned takedown for "smart" infant products that "end up traumatizing new parents with false reports that their baby has stopped breathing." But worst for privacy was the $1,200 "Revol" baby bassinet — equipped with a camera, a microphone, and a radar sensor. The video also mocks Samsung's "AI Home" initiative which let you answer phone calls with your washing machine, oven, or refrigerator. (And LG's overpowered "smart" refrigerator won the "Overall Worst in Show" award.)

One of the scariest presentations came from Paul Roberts, founder of SecuRepairs, a group advocating both cybersecurity and the right to repair. Roberts notes that about 65% of the routers sold in the U.S. are from a Chinese company named TP-Link — both wifi routers and the wifi/ethernet routers sold for homes and small offices. Roberts reminded viewers that in October, Microsoft reported "thousands" of compromised routers — most of them manufactured by TP-Link — were found working together in a malicious network trying to crack passwords and penetrate "think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others" in North America and in Europe. The U.S. Justice Department soon launched an investigation (as did the U.S. Commerce Department) into TP-Link's ties to China's government and military, according to a SecuRepairs blog post.

The reason? "As a China-based company, TP-Link is required by law to disclose flaws it discovers in its software to China's Ministry of Industry and Information Technology before making them public." Inevitably, this creates a window "to exploit the publicly undisclosed flaw... That fact, and the coincidence of TP-Link devices playing a role in state-sponsored hacking campaigns, raises the prospects of the U.S. government declaring a ban on the sale of TP-Link technology at some point in the next year."

TP-Link won the award for the worst in security.

AI

Foreign Cybercriminals Bypassed Microsoft's AI Guardrails, Lawsuit Alleges (arstechnica.com)

"Microsoft's Digital Crimes Unit is taking legal action to ensure the safety and integrity of our AI services," according to a Friday blog post by the unit's assistant general counsel. Microsoft blames "a foreign-based threat-actor group" for "tools specifically designed to bypass the safety guardrails of generative AI services, including Microsoft's, to create offensive and harmful content."

Microsoft "is accusing three individuals of running a 'hacking-as-a-service' scheme," reports Ars Technica, "that was designed to allow the creation of harmful and illicit content using the company's platform for AI-generated content" after bypassing Microsoft's AI guardrails: They then compromised the legitimate accounts of paying customers. They combined those two things to create a fee-based platform people could use. Microsoft is also suing seven individuals it says were customers of the service. All 10 defendants were named John Doe because Microsoft doesn't know their identity.... The three people who ran the service allegedly compromised the accounts of legitimate Microsoft customers and sold access to the accounts through a now-shuttered site... The service, which ran from last July to September when Microsoft took action to shut it down, included "detailed instructions on how to use these custom tools to generate harmful and illicit content."

The service contained a proxy server that relayed traffic between its customers and the servers providing Microsoft's AI services, the suit alleged. Among other things, the proxy service used undocumented Microsoft network application programming interfaces (APIs) to communicate with the company's Azure computers. The resulting requests were designed to mimic legitimate Azure OpenAI Service API requests and used compromised API keys to authenticate them. Microsoft didn't say how the legitimate customer accounts were compromised but said hackers have been known to create tools to search code repositories for API keys developers inadvertently included in the apps they create. Microsoft and others have long counseled developers to remove credentials and other sensitive data from code they publish, but the practice is regularly ignored. The company also raised the possibility that the credentials were stolen by people who gained unauthorized access to the networks where they were stored...

The lawsuit alleges the defendants' service violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act and constitutes wire fraud, access device fraud, common law trespass, and tortious interference.
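Scanning published code for the kind of leaked API keys the complaint describes is something a team can do for itself, in CI or as a pre-commit hook, before a third party does it for them. The Go program below is an added example, not Microsoft's tooling and not anything from the lawsuit. It combines two publicly documented token shapes (the AWS access key ID prefix `AKIA` and the GitHub personal access token prefix `ghp_`) with a generic "secret-ish name = quoted literal" heuristic filtered by Shannon entropy, and runs them over a constructed source file. The rule set, the 3.5-bit entropy threshold and the sample file are assumptions; the AWS value is the example key from AWS's own documentation and the GitHub-style value is made up. Azure OpenAI key formats are not described on the page, so no rule for them is invented here; the generic rule is what would catch one assigned as a literal.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Hit is one suspected credential: the line it sits on, which rule fired and
// the matched value (redacted before printing).
type Hit struct {
	Line   int
	Rule   string
	Secret string
}

// Two publicly documented token shapes. Many more exist; these are enough to
// show the prefix-rule half of a scanner.
var knownPatterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
}

// assignment catches the generic case: a secret-ish name assigned a quoted
// literal of 16+ characters. A value read from the environment does not match.
var assignment = regexp.MustCompile(`(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*["']([^"']{16,})["']`)

// shannonEntropy in bits per symbol; random keys score high, placeholders low.
func shannonEntropy(s string) float64 {
	freq := map[rune]float64{}
	for _, r := range s {
		freq[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range freq {
		p := c / n
		h -= p * math.Log2(p)
	}
	return h
}

// isPlaceholder skips template markers that are not real values.
func isPlaceholder(v string) bool {
	return strings.Contains(v, "${") || strings.HasPrefix(v, "<")
}

// scanSource runs every rule over each line and returns hits in line order.
func scanSource(src string, minEntropy float64) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		for _, p := range knownPatterns {
			for _, m := range p.re.FindAllString(line, -1) {
				hits = append(hits, Hit{n, p.name, m})
			}
		}
		if m := assignment.FindStringSubmatch(line); m != nil {
			if v := m[2]; !isPlaceholder(v) && shannonEntropy(v) >= minEntropy {
				hits = append(hits, Hit{n, "high-entropy-assignment", v})
			}
		}
	}
	return hits
}

// redact keeps enough of the value to locate it without re-leaking it.
func redact(s string) string {
	if len(s) <= 6 {
		return "******"
	}
	return s[:4] + strings.Repeat("*", len(s)-4)
}

// sampleSource is a constructed file; the AWS value is the example key from
// AWS's own documentation and the ghp_ value is made up.
const sampleSource = `# constructed sample; no value below is a live credential
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = os.environ["OPENAI_API_KEY"]
api_key = "<your-api-key-here>"
token = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
password = "${DATABASE_ADMIN_PASSWORD}"
password = "aaaaaaaaaaaaaaaaaaaa"
secret = "7f3c9e2b1a8d4f6e0c5b2a9d8e7f6c1b"`

func main() {
	for _, h := range scanSource(sampleSource, 3.5) {
		fmt.Printf("line %d  %-24s %s\n", h.Line, h.Rule, redact(h.Secret))
	}
}
```

Four hits come back: the AWS key on line 2, the GitHub-style token on line 5 (reported twice, once by the prefix rule and once by the entropy rule), and the 32-hex-character `secret` on line 8. The environment lookup on line 3, the `<...>` and `${...}` placeholders and the all-`a` password are correctly ignored. Two points worth carrying into a real scanner: report findings redacted, since the scan log is itself a place credentials leak from, and treat any real hit as already compromised, because public git history keeps the value even after the line is deleted.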

Government

US Sanctions Chinese Firm Linked to Seized Botnet (msn.com)

Remember that massive botnet run by Chinese government hackers? Flax Typhoon "compromised computer networks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan," according to the U.S. Treasury Department. (The group's botnet breaching this autumn affected "at least 260,000 internet-connected devices," reports the Washington Post, "roughly half of which were located in the United States.")

Friday America's Treasury Department sanctioned "a Beijing-based cybersecurity company for its role in multiple computer intrusion incidents against U.S. victims..." according to an announcement from the department's Office of Foreign Assets Control. "Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure."

From the Washington Post: The group behind the attacks was active since at least 2021, but U.S. authorities only managed to wrest control of the devices from the hackers in September, after the FBI won a court order that allowed the agency to send commands to the infected devices...

Treasury's designation follows sanctions announced last month on Sichuan Silence Information Technology Company, in which U.S. officials accused the company of exploiting technology flaws to install malware in more than 80,000 firewalls, including those protecting U.S. critical infrastructure. The new sanctions on Beijing Integrity Technology are notable due to the company's public profile and outsize role in servicing China's police and intelligence services via state-run hacking competitions. The company, which is listed in Shanghai and has a market capitalization of more than $327 million, plays a central role in providing state agencies "cyber ranges" — technology that allows them to simulate cyberattacks and defenses...

In September, FBI Director Christopher A. Wray said the Flax Typhoon attack successfully infiltrated universities, media organizations, corporations and government agencies, and in some cases caused significant financial losses as groups raced to replace the infected hardware. He said at the time that the operation to shut down the network was "one round in a much longer fight...." A 2024 assessment by the Office of the Director of National Intelligence said China is the most "active and persistent" cyberthreat and that actors under Beijing's direction have made efforts to breach U.S. critical infrastructure with the intention of lying in wait to be able to launch attacks in the event of major conflict.

"The Treasury sanctions bar Beijing Integrity Technology from access to U.S. financial systems and freeze any assets the company might hold in the United States," according to the article, "but the moves are unlikely to have a significant effect on the company," (according to Dakota Cary, a fellow at the Atlantic Council who has studied the company's role in state-sponsored hacking).

Chrome

Hackers Target Dozens of VPN, AI Extensions For Google Chrome To Compromise Data

An anonymous reader quotes a report from The Record: Cybersecurity researchers have uncovered dozens of attacks that involve malicious updates for Chrome browser extensions, one week after a security firm was compromised in a similar incident. As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence (AI) tools and virtual private networks (VPNs), according to a report by ExtensionTotal, a platform that analyzes extensions listed on various marketplaces and public registries. These extensions, collectively used by roughly 2.6 million people, include third-party tools such as ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity and Internxt VPN. Some of the affected companies have already addressed the issue by removing the compromised extensions from the store or updating them, according to ExtensionTotal's analysis. [...]

It remains unclear whether all the compromised extensions are linked to the same threat actor. Security researchers warn that browser extensions "shouldn't be treated lightly," as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software. ExtensionTotal recommends that organizations use only pre-approved versions of extensions and ensure they remain unchanged and protected from malicious automatic updates. "Even when we trust the developer of an extension, it's crucial to remember that every version could be entirely different from the previous one," researchers said. "If the extension developer is compromised, the users are effectively compromised as well -- almost instantly."

Open Source

What Happens to Relicensed Open Source Projects and Their Forks? (thenewstack.io) 7

A Linux Foundation project focused on understanding the health of the open source community just studied the outcomes for three projects that switched to "more restrictive" licenses and then faced community forks.

The data science director for the project — known as Community Health Analytics in Open Source Software (or CHAOSS) — is also an OpenUK board member, and describes the outcomes for OpenSearch, Redis with fork Valkey, and Terraform: The relicensed project (Redis) had significant numbers of contributors who were not employed by the company, and the fork (Valkey) was created by those existing contributors as a foundation project... The Redis project differs from Elasticsearch and Terraform in the number of contributions to the Redis repository from people who were not employees of Redis. In the year leading up to the relicense, when Redis was still open source, there were substantial contributions from employees of other companies: Twice as many non-Redis employees made five or more commits, and about a dozen employees of other companies made almost twice as many commits as Redis employees made.

In the six months after the relicense, all of the external contributors from companies (including Amazon, Alibaba, Tencent, Huawei and Ericsson) who contributed over five commits to the Redis project in the year prior to the relicense stopped contributing. In sum, Redis had strong organizational diversity before the relicense, but only Redis employees made significant contributions afterward.

Valkey was forked from Redis 7.2.4 on March 28, 2024, as a Linux Foundation project under the BSD-3 license. The fork was driven by a group of people who previously contributed to Redis with public support from their employers. Within its first six months, the Valkey repository had 29 contributors employed at 10 companies, and 18 of those people previously contributed to Redis. Valkey has a diverse set of contributors from various companies, with Amazon having the most contributors.

The results weren't always so clear-cut. Because Terraform always had very few contributors outside of the company, "there was no substantial impact on the contributor community from the relicensing event..." (Although the OpenTofu fork — a Linux Foundation project — had 31 people at 11 organizations who made five or more contributions.)

And both before and after Elasticsearch's relicensing, most contributors were Elastic employees, so "the 2021 relicense had little to no impact on contributors." (But the OpenSearch fork — transferred in September to the Linux Foundation — shows a more varied contributor base, with just 63% of additions and 64% of deletions coming from Amazon employees who made 10 or more commits. Six people who didn't work for Amazon made 10 or more commits, making up 11% of additions and 13% of deletions.)

So "Looking at all of these projects together, we see that the forks from relicensed projects tend to have more organizational diversity than the original projects," they conclude, adding that in general "projects with greater organizational diversity tend to be more sustainable..."

"You can dive into the details about these six projects in the paper, presentation and data we shared at the recent OpenForum Academy Symposium."

Social Networks

Tech Platforms Diverge on Erasing Criminal Suspects' Digital Footprints (nytimes.com) 99

Social media giants confronted a familiar dilemma over user content moderation after murder suspect Luigi Mangione's arrest in the killing of UnitedHealthcare's CEO on Monday, highlighting the platforms' varied approaches to managing digital footprints of criminal suspects.

Meta quickly removed Mangione's Facebook and Instagram accounts under its "dangerous organizations and individuals" policy, while his account on X underwent a brief suspension before being reinstated with a premium subscription. LinkedIn maintained his profile, stating it did not violate platform policies. His Reddit account was suspended in line with the platform's policy on high-profile criminal suspects, while his Goodreads profile fluctuated between public and private status.

The New York Times adds: When someone goes from having a private life to getting public attention, online accounts they intended for a small circle of friends or acquaintances are scrutinized by curious strangers -- and journalists.

In some cases, these newly public figures or their loved ones can shut down the accounts or make them private. Others, like Mr. Mangione, who has been charged with murder, are cut off from their devices, leaving their digital lives open for the public's consumption. Either way, tech companies have discretion in what happens to the account and its content. Section 230 of the Communications Decency Act protects companies from legal liability for posts made by users.

Open Source

Slashdot's Interview with Bruce Perens: How He Hopes to Help 'Post Open' Developers Get Paid (slashdot.org) 61

Bruce Perens, original co-founder of the Open Source Initiative, has responded to questions from Slashdot readers about a new alternative he's developing that hopefully helps "Post Open" developers get paid.

But first, "One of the things that's clear from the Slashdot patter is that people are not aware of what I've been doing, in general," Perens says. "So, let's start by filling that in..."

Read on for the rest of his wide-ranging answers....

Canada

Canada's Major News Organizations Band Together To Sue OpenAI (toronto.com) 39

A broad coalition of Canada's major news organizations, including the Toronto Star, Metroland Media, Postmedia, The Globe and Mail, The Canadian Press and CBC, is suing tech giant OpenAI, saying the company is illegally using news articles to train its ChatGPT software. From a report: It's the first time all of a country's major news publishers have come together in litigation against OpenAI. The suit, filed in Ontario's Superior Court of Justice Friday morning, seeks punitive damages, disgorgement of any profits made by OpenAI from using the news organizations' articles, and an injunction barring OpenAI from using any of the news articles in the future.

"Journalism is in the public interest. OpenAI using other companies' journalism for their own commercial gain is not. It's illegal," said a joint statement from the media organizations, which are represented by law firm Lenczner Slaght.

Security

US Senators Propose Law To Require Bare Minimum Security Standards (theregister.com) 57

American hospitals and healthcare organizations would be required to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards under new legislation proposed by a bipartisan group of US senators. From a report: The Health Care Cybersecurity and Resiliency Act of 2024 [PDF], introduced on Friday by US Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), would, among other things, require better coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) around cybersecurity in the healthcare and public health sector.

This includes giving HHS a year to implement a cybersecurity incident response plan and update the types of information displayed publicly via the department's breach reporting portal. Currently, all healthcare orgs that are considered "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) are required to notify HHS if they are breached. The new law would require breached entities to report how many people were affected by the security incident.

It would also mandate that the portal include details on "any corrective action taken against a covered entity that provided notification of a breach" as well as "recognized security practices that were considered" during the breach investigation, plus any other information that the HHS secretary deems necessary.

Security

Blue Yonder Ransomware Attack Disrupts Grocery Store Supply Chain (bleepingcomputer.com) 11

Blue Yonder, a Panasonic subsidiary specializing in AI-driven supply chain solutions, experienced a recent ransomware attack that impacted many of its customers. "Among its 3,000 customers are high-profile organizations like DHL, Renault, Bayer, Morrisons, Nestle, 3M, Tesco, Starbucks, Ace Hardware, Procter & Gamble, Sainsbury, and 7-Eleven," reports BleepingComputer. From the report: On Friday, the company warned that it was experiencing disruptions to its managed services hosting environment due to a ransomware incident that occurred the day before, on November 21. "On November 21, 2024, Blue Yonder experienced disruptions to its managed services hosted environment, which was determined to be the result of a ransomware incident," reads the announcement. "Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process. We have implemented several defensive and forensic protocols."

Blue Yonder claims it has detected no suspicious activity in its public cloud environment and is still processing multiple recovery strategies. [...] As expected, this has impacted clients directly, as a spokesperson for UK grocery store chain Morrisons has confirmed to the media they have reverted to a slower backup process. Sainsbury told CNN that it had contingency plans in place to overcome the disruption. A Saturday update informed customers that the restoration of the impacted services continued, but no specific timelines for complete restoration could be shared yet. Another update published on Sunday reiterated the same, urging clients to monitor the customer update page on Blue Yonder's website over the coming days.
